I'm looking for some final final help, and that is: how can I generate a certificate for Microsoft Outlook, so that I cna use postfix in TLS (SSL) mode? I know I need to export in p12 format using openssl but I just don't know the correct parameters.

I can export a certificate, and import it on WIndoze (via Internet Explorer), and I have chanegd /etc/postfix/main.cf to have smtpd_tls_auth_only = yes, but when I send within Outlook i get the annoying "certificate isn;t trusted do you want to continue" - with every message I send! Obviosuly I'd like to suppress that message as I know the server is trusted.

My certificates are self-signed, as per the instructions in the howto. When you send to that mailserver using SSL Outlook prompts you with:

"The server you are connecting to is using a security certificate that could not be verified.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Do you want to contiune using this server?"

If you choose YES then you can send through the mailserver quite happily. But as soon as you quit Outlook and restart it, you get the warning again. Which is obviously a PITA.

The internet is absolutely riddled with similar questions (search google for Outlook root certificate "could not be verified") but I just cannot find a definitive answer which matches the steps I've gone through in the howto.

i.e. the HOWTO tells me how to setup the server, but I need to final steps to create the certificate for import into the client.

Then import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer (Tools -> Internet Options -> Content -> Certificates, or by just double-clicking it). You will then be free to establish an SSL connection within Outlook to enforce tighter security.

Hope this helps others. Perhaps this HOWTO could be edited to put this as an optional step?